[authorized_macs.authorize] returns noop

Alexander Clouter alex at digriz.org.uk
Thu Jan 6 18:48:21 CET 2011

Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>> I think it's Arran who maintains that page, however the
>> rewrite_calling_station_id looks like it was palmed off me at some
>> stage.  That *is* needed unless you are quite-quite-mad and enjoy twenty
>> different representations for your MAC addresses in your databases :)
> Sure; we have something similar
> We *actually* abuse Postgres' macaddr datatype by doing this:
Goddamnit, first I discover all the CIDR bits and think how great that 
is, but I never thought to look if there was a MAC address one. 

> update request {
>   Calling-Station-Id = "%{sql:select '%{Calling-Station-Id}'::macaddr}"
> }
Not quite there, but it could be IC's entry for the DWTF? ;P

On a serious note, that is going to be a ballache if your SQL server 
goes walkies...

> ...which handles all the various cases quite nicely, but returns 
> Postgres' :-separated version, which is fine (and what we prefer).
My brain prefers ':', however '-' was in an RFC I read some time back 
when reading about Called-Station-Id's and SSID's:

>>> Anyone who wrote the page, and why it uses that method?
>> The page looks fine to me, is it the enforcing and checking for RFCness
> *What* RFCness?
Apparently, guessing this is Aaran spending too much absorbing the IETF 
website, RFC2865 says "though shalt use 'Call-Check' for mac-auth", I 
have not read it myself.
>> that seems overkill to you? Cisco switches use PAP instead of CHAP, but
>> other than that whats the problem?
> I've never seen a mac-auth implementation sending CHAP requests, which 
> seems like lunacy, so have never considered there might be a need to 
> execute the "authenticate" section, or synthesise a Cleartext-Password.
...but this is what makes HP special :)


I agree, is is rather daft, I'm surprised User-Password even appears for 
a PAP approach.

> But even so, I don't see the value in executing a modules .authorize 
> handler in the post-auth section, or having a whole separate Auth-Type 
> value.
Right, this I agree with, I nuke the request in authorize too.

> Shrug. Not a big deal really. To each his own.
Many ways to skin this cat...


Alexander Clouter
.sigmonster says: Really??  What a coincidence, I'm shallow too!!

More information about the Freeradius-Users mailing list